255 lines
10 KiB
YAML
255 lines
10 KiB
YAML
# nameOverride is the short name for the deployment. Leave empty to let Helm generate a name using chart values.
|
|
nameOverride: "elastic-operator"
|
|
|
|
# fullnameOverride is the full name for the deployment. Leave empty to let Helm generate a name using chart values.
|
|
fullnameOverride: "elastic-operator"
|
|
|
|
# managedNamespaces is the set of namespaces that the operator manages. Leave empty to manage all namespaces.
|
|
managedNamespaces: []
|
|
|
|
# installCRDs determines whether Custom Resource Definitions (CRD) are installed by the chart.
|
|
# Note that CRDs are global resources and require cluster admin privileges to install.
|
|
# If you are sharing a cluster with other users who may want to install ECK on their own namespaces, setting this to true can have unintended consequences.
|
|
# 1. Upgrades will overwrite the global CRDs and could disrupt the other users of ECK who may be running a different version.
|
|
# 2. Uninstalling the chart will delete the CRDs and potentially cause Elastic resources deployed by other users to be removed as well.
|
|
installCRDs: true
|
|
|
|
# replicaCount is the number of operator pods to run.
|
|
replicaCount: 1
|
|
|
|
image:
|
|
# repository is the container image prefixed by the registry name.
|
|
repository: docker.elastic.co/eck/eck-operator
|
|
# pullPolicy is the container image pull policy.
|
|
pullPolicy: IfNotPresent
|
|
# tag is the container image tag. If not defined, defaults to chart appVersion.
|
|
tag: null
|
|
|
|
# priorityClassName defines the PriorityClass to be used by the operator pods.
|
|
priorityClassName: ""
|
|
|
|
# imagePullSecrets defines the secrets to use when pulling the operator container image.
|
|
imagePullSecrets: []
|
|
|
|
# resources define the container resource limits for the operator.
|
|
resources:
|
|
limits:
|
|
cpu: 1
|
|
memory: 1Gi
|
|
requests:
|
|
cpu: 100m
|
|
memory: 150Mi
|
|
|
|
# podAnnotations define the annotations that should be added to the operator pod.
|
|
podAnnotations: {}
|
|
|
|
## podLabels define additional labels that should be added to the operator pod.
|
|
podLabels: {}
|
|
|
|
# podSecurityContext defines the pod security context for the operator pod.
|
|
podSecurityContext:
|
|
runAsNonRoot: true
|
|
|
|
# securityContext defines the security context of the operator container.
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
readOnlyRootFilesystem: true
|
|
runAsNonRoot: true
|
|
|
|
# nodeSelector defines the node selector for the operator pod.
|
|
nodeSelector: {}
|
|
|
|
# tolerations defines the node tolerations for the operator pod.
|
|
tolerations: []
|
|
|
|
# affinity defines the node affinity rules for the operator pod.
|
|
affinity: {}
|
|
|
|
# podDisruptionBudget configures the minimum or the maxium available pods for voluntary disruptions,
|
|
# set to either an integer (e.g. 1) or a percentage value (e.g. 25%).
|
|
podDisruptionBudget:
|
|
enabled: false
|
|
minAvailable: 1
|
|
# maxUnavailable: 3
|
|
|
|
# additional environment variables for the operator container.
|
|
env: []
|
|
|
|
# additional volume mounts for the operator container.
|
|
volumeMounts: []
|
|
|
|
# additional volumes to add to the operator pod.
|
|
volumes: []
|
|
|
|
# createClusterScopedResources determines whether cluster-scoped resources (ClusterRoles, ClusterRoleBindings) should be created.
|
|
createClusterScopedResources: true
|
|
|
|
serviceAccount:
|
|
# create specifies whether a service account should be created for the operator.
|
|
create: true
|
|
# annotations to add to the service account
|
|
annotations: {}
|
|
# name of the service account to use. If not set and create is true, a name is generated using the fullname template.
|
|
name: ""
|
|
|
|
tracing:
|
|
# enabled specifies whether APM tracing is enabled for the operator.
|
|
enabled: false
|
|
# config is a map of APM Server configuration variables that should be set in the environment.
|
|
config:
|
|
ELASTIC_APM_SERVER_URL: http://localhost:8200
|
|
ELASTIC_APM_SERVER_TIMEOUT: 30s
|
|
|
|
refs:
|
|
# enforceRBAC specifies whether RBAC should be enforced for cross-namespace associations between resources.
|
|
enforceRBAC: false
|
|
|
|
webhook:
|
|
# enabled determines whether the webhook is installed.
|
|
enabled: true
|
|
# caBundle is the PEM-encoded CA trust bundle for the webhook certificate. Only required if manageCerts is false and certManagerCert is null.
|
|
caBundle: Cg==
|
|
# certManagerCert is the name of the cert-manager certificate to use with the webhook.
|
|
certManagerCert: null
|
|
# certsDir is the directory to mount the certificates.
|
|
certsDir: "/tmp/k8s-webhook-server/serving-certs"
|
|
# failurePolicy of the webhook.
|
|
failurePolicy: Ignore
|
|
# manageCerts determines whether the operator manages the webhook certificates automatically.
|
|
manageCerts: true
|
|
# namespaceSelector corresponds to the namespaceSelector property of the webhook.
|
|
# Setting this restricts the webhook to act only on objects submitted to namespaces that match the selector.
|
|
namespaceSelector: {}
|
|
# objectSelector corresponds to the objectSelector property of the webhook.
|
|
# Setting this restricts the webhook to act only on objects that match the selector.
|
|
objectSelector: {}
|
|
# port is the port that the validating webhook binds to.
|
|
port: 9443
|
|
|
|
# hostNetwork allows a Pod to use the Node network namespace.
|
|
# This is required to allow for communication with the kube API when using some alternate CNIs in conjunction with webhook enabled.
|
|
# CAUTION: Proceed at your own risk. This setting has security concerns such as allowing malicious users to access workloads running on the host.
|
|
hostNetwork: false
|
|
|
|
softMultiTenancy:
|
|
# enabled determines whether the operator is installed with soft multi-tenancy extensions.
|
|
# This requires network policies to be enabled on the Kubernetes cluster.
|
|
enabled: false
|
|
|
|
# kubeAPIServerIP is required when softMultiTenancy is enabled.
|
|
kubeAPIServerIP: null
|
|
|
|
telemetry:
|
|
# disabled determines whether the operator periodically updates ECK telemetry data for Kibana to consume.
|
|
disabled: false
|
|
# distributionChannel denotes which distribution channel was used to install the operator.
|
|
distributionChannel: "helm"
|
|
|
|
# config values for the operator.
|
|
config:
|
|
# logVerbosity defines the logging level. Valid values are as follows:
|
|
# -2: Errors only
|
|
# -1: Errors and warnings
|
|
# 0: Errors, warnings, and information
|
|
# number greater than 0: Errors, warnings, information, and debug details.
|
|
logVerbosity: "0"
|
|
|
|
# metricsPort defines the port to expose operator metrics. Set to 0 to disable metrics reporting.
|
|
metricsPort: "0"
|
|
|
|
# containerRegistry to use for pulling Elasticsearch and other application container images.
|
|
containerRegistry: docker.elastic.co
|
|
|
|
# containerRepository to use for pulling Elasticsearch and other application container images.
|
|
# containerRepository: ""
|
|
|
|
# containerSuffix suffix to be appended to container images by default. Cannot be combined with -ubiOnly flag
|
|
# containerSuffix: ""
|
|
|
|
# maxConcurrentReconciles is the number of concurrent reconciliation operations to perform per controller.
|
|
maxConcurrentReconciles: "3"
|
|
|
|
# caValidity defines the validity period of the CA certificates generated by the operator.
|
|
caValidity: 8760h
|
|
|
|
# caRotateBefore defines when to rotate a CA certificate that is due to expire.
|
|
caRotateBefore: 24h
|
|
|
|
# certificatesValidity defines the validity period of certificates generated by the operator.
|
|
certificatesValidity: 8760h
|
|
|
|
# certificatesRotateBefore defines when to rotate a certificate that is due to expire.
|
|
certificatesRotateBefore: 24h
|
|
|
|
# exposedNodeLabels is an array of regular expressions of node labels which are allowed to be copied as annotations on Elasticsearch Pods.
|
|
exposedNodeLabels: [ "topology.kubernetes.io/.*", "failure-domain.beta.kubernetes.io/.*" ]
|
|
|
|
# setDefaultSecurityContext determines whether a default security context is set on application containers created by the operator.
|
|
# *note* that the default option now is "auto-detect" to attempt to set this properly automatically when both running
|
|
# in an openshift cluster, and a standard kubernetes cluster. Valid values are as follows:
|
|
# "auto-detect" : auto detect
|
|
# "true" : set pod security context when creating resources.
|
|
# "false" : do not set pod security context when creating resources.
|
|
setDefaultSecurityContext: "auto-detect"
|
|
|
|
# kubeClientTimeout sets the request timeout for Kubernetes API calls made by the operator.
|
|
kubeClientTimeout: 60s
|
|
|
|
# elasticsearchClientTimeout sets the request timeout for Elasticsearch API calls made by the operator.
|
|
elasticsearchClientTimeout: 180s
|
|
|
|
# validateStorageClass specifies whether storage classes volume expansion support should be verified.
|
|
# Can be disabled if cluster-wide storage class RBAC access is not available.
|
|
validateStorageClass: true
|
|
|
|
# enableLeaderElection specifies whether leader election should be enabled
|
|
enableLeaderElection: true
|
|
|
|
# Interval between observations of Elasticsearch health, non-positive values disable asynchronous observation.
|
|
elasticsearchObservationInterval: 10s
|
|
|
|
# Prometheus PodMonitor configuration
|
|
# Reference: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmonitor
|
|
podMonitor:
|
|
|
|
# enabled determines whether a podMonitor should deployed to scrape the eck metrics.
|
|
# This requires the prometheus operator and the config.metricsPort not to be 0
|
|
enabled: false
|
|
|
|
# labels adds additional labels to the podMonitor
|
|
labels: {}
|
|
|
|
# annotations adds additional annotations to the podMonitor
|
|
annotations: {}
|
|
|
|
# namespace determines in which namespace the podMonitor will be deployed.
|
|
# If not set the podMonitor will be created in the namespace where the Helm release is installed into
|
|
# namespace: monitoring
|
|
|
|
# interval specifies the interval at which metrics should be scraped
|
|
interval: 5m
|
|
|
|
# scrapeTimeout specifies the timeout after which the scrape is ended
|
|
scrapeTimeout: 30s
|
|
|
|
# podTargetLabels transfers labels on the Kubernetes Pod onto the target.
|
|
podTargetLabels: []
|
|
|
|
# podMetricsEndpointConfig allows to add an extended configuration to the podMonitor
|
|
podMetricsEndpointConfig: {}
|
|
# honorTimestamps: true
|
|
|
|
# Globals meant for internal use only
|
|
global:
|
|
# manifestGen specifies whether the chart is running under manifest generator.
|
|
# This is used for tasks specific to generating the all-in-one.yaml file.
|
|
manifestGen: false
|
|
# createOperatorNamespace defines whether the operator namespace manifest should be generated when in manifestGen mode.
|
|
# Usually we do want that to happen (e.g. all-in-one.yaml) but, sometimes we don't (e.g. E2E tests).
|
|
createOperatorNamespace: true
|
|
# kubeVersion is the effective Kubernetes version we target when generating the all-in-one.yaml.
|
|
kubeVersion: 1.21.0
|